CVE-2026-22218
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-02
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainlit | chainlit | < 2.9.4 (2.9.4 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows unauthorized disclosure of files on the server running Chainlit. An attacker who holds a valid login can read any file the Chainlit service account can open, including application configuration, environment files and credentials stored on disk. The direct impact is to confidentiality; integrity and availability are only at risk indirectly, if the disclosed material (API keys, database credentials, session secrets) is then used for further access. [1]
Can you explain this vulnerability to me?
CVE-2026-22218 is an arbitrary file read in Chainlit versions before 2.9.4. An authenticated user submits a custom Element whose path value they control to the /project/element update flow. The server copies the file at that path into the requester's session storage and returns an element identifier (chainlitKey) for it; a subsequent request to /project/file/<chainlitKey> returns the file's contents. Because the path is not constrained to the upload area, any file readable by the Chainlit process can be retrieved this way. The weakness is CWE-22 (path traversal): external input builds a filesystem path that is never checked against the directory it is supposed to stay under. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. First, confirm the installed version: `pip show chainlit` (or `python -c "import importlib.metadata as m; print(m.version('chainlit'))"`) reports the version, and anything below 2.9.4 is affected. Second, review access logs for the request sequence the vulnerability requires: an authenticated POST to the /project/element update flow carrying a custom Element whose path points outside the upload area, followed by a GET to /project/file/<chainlitKey> from the same session. Ordinary access logs record the URL but not the request body, so the path value itself is only visible in application-level logging or a reverse proxy that logs bodies; treat the URL pattern as a triage signal rather than proof, since legitimate element use also produces POST /project/element followed by GET /project/file/<id>. The resources provide no purpose-built detection command or signature, so the version check plus log review is the practical approach. [1]
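The two checks above, as an added example that is not part of the original page or of the Chainlit project: a version comparison against the fixed release, and a pass over access-log lines that flags sessions which POSTed to /project/element and then fetched /project/file/<chainlitKey>. The log lines are constructed for the example and their field layout (session=, user=, quoted request line, status) is an assumption; map the regex onto your own proxy or application log format.

```python
import re
from collections import defaultdict

# Chainlit 2.9.4 is the first release containing the fix (per the advisory above).
FIXED_VERSION = (2, 9, 4)


def is_vulnerable_version(version: str) -> bool:
    """True if the installed Chainlit release is older than 2.9.4.

    Only the numeric major.minor.patch components are compared; pre-release
    suffixes are ignored, so treat a 2.9.4 pre-release as vulnerable manually.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


# Constructed sample access-log lines. The field layout is an assumption for this
# example, not Chainlit's own log format.
SAMPLE_LOG = """\
2026-01-21T10:00:01Z session=s1 user=alice "POST /project/element" 200
2026-01-21T10:00:02Z session=s1 user=alice "GET /project/file/8f3c2a?session_id=s1" 200
2026-01-21T10:00:03Z session=s2 user=bob "GET /project/file/ab12cd?session_id=s2" 200
2026-01-21T10:00:04Z session=s3 user=carol "POST /project/element" 200
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def find_suspicious_sessions(log_text: str) -> dict:
    """Map session -> list of chainlitKey values fetched after that session
    POSTed to /project/element (the request sequence described in the advisory).

    This is a triage signal: legitimate element use produces the same URLs, so
    the hits still need the request body or application log to confirm a
    user-controlled path.
    """
    posted = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        session, method, path = m["session"], m["method"], m["path"]
        if method == "POST" and path.split("?", 1)[0] == "/project/element":
            posted.add(session)
        elif method == "GET" and path.startswith("/project/file/") and session in posted:
            key = path[len("/project/file/"):].split("?", 1)[0]
            hits[session].append(key)
    return dict(hits)


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("2.9.3"))
    print("sessions to triage:", find_suspicious_sessions(SAMPLE_LOG))
```

On the sample input only session s1 is reported: s2 fetched a file without a preceding element update and s3 updated an element without fetching anything, so neither matches the sequence the vulnerability needs.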
What immediate steps should I take to mitigate this vulnerability?
Upgrade Chainlit to 2.9.4 or later (`pip install --upgrade "chainlit>=2.9.4"`), which sanitizes the inputs used in custom thread element updates and closes the file read. If you use the persistence features, also apply the required database migration: `ALTER TABLE steps ADD COLUMN IF NOT EXISTS modes JSONB;`. Until the upgrade is in place, reduce exposure along the two axes the bug depends on: the attacker needs a valid login, so keep the set of authenticated users small and trusted; and the read is bounded by what the service account can open, so run Chainlit as a dedicated low-privilege user and keep secrets and configuration files unreadable to that account wherever the application does not need them. [2]
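The CWE-22 pattern behind this issue, and the containment check that the mitigation paragraph refers to as input sanitization, shown side by side as an added example. This is illustrative code written for this page, not Chainlit's vulnerable or fixed implementation; the function names, the element dictionary shape and the directory layout are assumptions. The vulnerable form copies whatever path the element carries; the hardened form joins the value onto an allowed root, resolves symlinks and `..`, and refuses anything that lands outside that root (an absolute path replaces the root when joined, so it fails the same check).

```python
import shutil
import tempfile
from pathlib import Path


class PathOutsideAllowedRoot(ValueError):
    """Raised when a user-supplied path escapes the directory it must stay under."""


def resolve_under_root(root: Path, user_path: str) -> Path:
    """Join user_path onto root, resolve symlinks and '..', and reject any result
    that is not inside root."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideAllowedRoot(
            f"{user_path!r} resolves to {candidate}, outside {root}"
        ) from None
    return candidate


def copy_element_unsafe(element: dict, session_dir: Path) -> Path:
    """Illustrative vulnerable pattern: the path in the element is used as given."""
    src = Path(element["path"])
    dst = session_dir / src.name
    shutil.copy(src, dst)
    return dst


def copy_element_safe(element: dict, session_dir: Path, allowed_root: Path) -> Path:
    """Hardened pattern: the path must resolve to a regular file under allowed_root."""
    src = resolve_under_root(allowed_root, element["path"])
    if not src.is_file():
        raise FileNotFoundError(src)
    dst = session_dir / src.name
    shutil.copy(src, dst)
    return dst


def demo() -> dict:
    """Run both patterns against a constructed directory layout and report outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uploads = base / "uploads"      # the only directory elements may reference
        session_dir = base / "session"  # where the server copies element files
        uploads.mkdir()
        session_dir.mkdir()
        (uploads / "report.txt").write_text("legitimate upload")
        secret = base / "secret.env"    # constructed stand-in for a sensitive server file
        secret.write_text("API_KEY=example")

        # Unsafe: an attacker-chosen absolute path is copied into the session verbatim.
        leaked = copy_element_unsafe({"path": str(secret)}, session_dir)
        results["unsafe_leaks_secret"] = leaked.read_text() == "API_KEY=example"

        # Safe: the same absolute path and a '..' traversal are both refused.
        for name, bad in (("safe_rejects_absolute", str(secret)),
                          ("safe_rejects_traversal", "../secret.env")):
            try:
                copy_element_safe({"path": bad}, session_dir, uploads)
                results[name] = False
            except PathOutsideAllowedRoot:
                results[name] = True

        # Safe: a path that stays under the upload root still works.
        copied = copy_element_safe({"path": "report.txt"}, session_dir, uploads)
        results["safe_allows_upload"] = copied.read_text() == "legitimate upload"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The check is done after `resolve()` on both sides so that symlinks inside the upload directory pointing elsewhere are caught as well; comparing unresolved strings (for example rejecting only inputs that contain `..`) misses that case and absolute paths.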
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this arbitrary file read vulnerability in Chainlit affects compliance with common standards and regulations such as GDPR or HIPAA.